Description
This article provides a configuration sample for an SSL VPN user with FortiToken as the second authentication factor and client certificate verification as an additional authentication factor.
Scope
For version 6.4.5 and later.
Solution
1) Create a user with a FortiToken:

# config user local
    edit "userA"
        set type ldap                  <----- Any user type can be used (it does not have to be an LDAP user).
        set two-factor fortitoken
        set fortitoken "FTKMOBXXXXXXXX"
        set email-to "aaa@lab.lab"
        set ldap-server "LDAP_lab"
    end

2) Import the CA certificate that signed the certificate which will be used for the authentication:

Go to System -> Certificates -> Import -> CA Certificate.

3) Define the certificate matching criteria:

# config user peer
    edit "test"
        set ca "CA_Cert_1"             <----- It is possible to set up additional certificate matching criteria.
    end

NOTE: Machine/computer certificates can be utilized as well.

4) Create a binding between the user and the certificate check:

# config vpn ssl settings
    config authentication-rule
        edit 1
            set users "userA"
            set portal "full-access"
            set client-cert enable
            set user-peer "test"
        end
    end

5) The firewall policy is set only with the user defined in step 1):

# config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_pool"
        set dstaddr "example.com"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set users "userA"
        set nat enable
    next
end
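A small consistency checker for the design above, added here as an example and not part of Fortinet's article or of FortiOS itself: it parses FortiOS-style config/edit/set/next/end text (the same shape as the snippets in steps 1 to 5) and reports SSL VPN authentication rules that do not enforce both a CA-validated client certificate and FortiToken two-factor for their users. The embedded config is a constructed sample; rule 2 and "userB" are a deliberately weaker rule that is not in the article.

```python
import shlex
def parse_fortios(text):  # -> {table: {entry: {key: [values]}}}
    root = cur = {}
    stack = []  # (kind, parent) for each open 'config' table or 'edit' entry
    for raw in text.splitlines():
        tok = shlex.split(raw.split("<-----")[0].lstrip(" #")) or [""]  # drop '# ' prompt, arrow notes, blanks
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], cur))
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            kind, cur = stack.pop()
            if tok[0] == "end" and kind == "edit":  # 'end' inside an entry closes the table too
                _, cur = stack.pop()
    return root

def check_cert_mfa(cfg):  # findings for SSL VPN rules that break the cert + FortiToken design
    users, peers = cfg.get("user local", {}), cfg.get("user peer", {})
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {})
    out = []
    for rid, rule in rules.items():
        peer = rule.get("user-peer", [""])[0]
        if rule.get("client-cert") != ["enable"] or "ca" not in peers.get(peer, {}):
            out.append(f"rule {rid}: no client certificate check against a CA")
        for u in rule.get("users", []):
            if users.get(u, {}).get("two-factor") != ["fortitoken"]:
                out.append(f"rule {rid}: user {u!r} lacks FortiToken two-factor")
    return out

# Constructed sample: rule 1 mirrors the article; rule 2 and "userB" are a weaker rule added here.
SAMPLE = """config user local
    edit "userA"
        set two-factor fortitoken
    end
config user peer
    edit "test"
        set ca "CA_Cert_1"
    end
config vpn ssl settings
    config authentication-rule
        edit 1
            set users "userA"
            set client-cert enable
            set user-peer "test"
        next
        edit 2
            set users "userB"
        end
end"""
```

Running `check_cert_mfa(parse_fortios(SAMPLE))` returns no finding for rule 1 and two findings for rule 2; the arrow notes from the article's own snippets are stripped, so they can be pasted in unchanged.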
Related Articles
Technical Note: FortiClient with user certificate stored in local machine certification store
Technical Tip: RADIUS authentication and client certificates in SSL VPN